
IAM users/roles/groups policies reports

0

We'd like to export IAM roles/users/groups policies report across multiple AWS accounts. What is the best way of doing this? I know there is an IAM credential report option; however, that would not be ideal for multiple accounts (hundreds).

1 Answer
3
Accepted Answer

Currently there is no out-of-the-box integration to centrally pull that off.

One workaround is to use Lambda functions that pull the report through the API and store it either in a DB or an S3 bucket, optionally publishing to SNS, and either deploy them into each account using IaC tools like CloudFormation, or create roles and grant permissions to a centralized Lambda in each child account.

You will need to balance the ease of making updates to your Lambda against maintaining cross-account permissions when deciding which approach to take.

I do want to mention you might want to take a step back and see why you want such a report. Have you enabled other tools such as GuardDuty, Detective, Inspector and Security Hub? Those services have integrations with AWS Organizations and can be an important part of a layered approach to security.

Also, check with your account manager and arrange a security review with either your account solutions architect, TAM, or a specialist from AWS.

answered 3 years ago
EXPERT
reviewed 7 months ago
  • Thanks for your answer, Jason. Security services-wise, we have the relevant services enabled and integrated. What we needed was to have a consolidated list of IAM users/roles/groups and the policies attached to them. I was thinking whether a workaround could be having IAM Access Analyser enabled via Org and then being able to export IAM-related findings across all accounts.

  • It depends on what level of report you are looking for and on which resources. For example, IAM Access Analyser only supports certain resources such as S3, IAM roles, KMS keys, etc. Also, it will not give you a complete report of all the roles, groups, users and policies. That being said, it is a great tool to enable within AWS Organizations to get insights into some of the key areas where you want to understand access levels.
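The centralized-Lambda variant of the accepted answer, and the consolidated users/roles/groups/policies list the comment asks for, as an added example that is not part of the original answer or of any AWS tooling. It assumes a hypothetical read-only role named IAMReportReader in every member account (IAMReadOnlyAccess, or at minimum iam:GetAccountAuthorizationDetails, is enough), a hypothetical central bucket iam-reports-hub, and that the hub runs from the Organizations management or a delegated-admin account. It uses iam:GetAccountAuthorizationDetails, which returns users, groups, roles, their attached managed policies and their inline policies in one paginated call, rather than the credential report, and flattens the result to one row per principal. The flattening is pure Python and is exercised on a constructed sample response so it runs offline; boto3 is only imported where a client is actually built.

```python
"""Hub-and-spoke IAM principal/policy report across an AWS Organization (added example)."""
import json
from datetime import datetime, timezone

ROLE_NAME = "IAMReportReader"      # hypothetical read-only role present in every member account
REPORT_BUCKET = "iam-reports-hub"  # hypothetical central bucket in the hub account
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def list_member_accounts(org_client):
    """Enumerate ACTIVE accounts; run from the management or a delegated-admin account."""
    ids = []
    for page in org_client.get_paginator("list_accounts").paginate():
        ids.extend(a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE")
    return ids


def iam_client_for(account_id, sts_client):
    """AssumeRole into the member account and return an IAM client bound to those credentials."""
    import boto3  # imported here so the flattening below is usable without boto3 installed
    creds = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="iam-policy-report")["Credentials"]
    return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def fetch_authorization_details(iam_client):
    """Merge every page of GetAccountAuthorizationDetails (users, groups, roles, policies)."""
    merged = {"UserDetailList": [], "GroupDetailList": [], "RoleDetailList": [], "Policies": []}
    for page in iam_client.get_paginator("get_account_authorization_details").paginate():
        for key in merged:
            merged[key].extend(page.get(key, []))
    return merged


def trust_principals(doc):
    """Principals allowed by a role's trust policy; accepts a dict (boto3) or a JSON string."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        if principal == "*":          # anyone: worth surfacing in a report
            out.add("*")
            continue
        for v in principal.values():  # {"AWS": [...], "Service": [...], "Federated": [...]}
            out.update(v if isinstance(v, list) else [v])
    return sorted(out)


def _row(account_id, kind, name, arn, attached, inline, **extra):
    attached_arns = sorted(p["PolicyArn"] for p in attached)
    row = {"account": account_id, "type": kind, "name": name, "arn": arn,
           "attached_policies": attached_arns,
           "inline_policies": sorted(p["PolicyName"] for p in inline),
           # direct attachment only; a user inheriting admin via a group is NOT flagged here
           "has_admin_policy": ADMIN_POLICY_ARN in attached_arns}
    row.update(extra)
    return row


def flatten(account_id, details):
    """One row per principal: the consolidated users/groups/roles/policies view."""
    rows = []
    for u in details["UserDetailList"]:
        rows.append(_row(account_id, "user", u["UserName"], u["Arn"],
                         u.get("AttachedManagedPolicies", []), u.get("UserPolicyList", []),
                         groups=sorted(u.get("GroupList", []))))
    for g in details["GroupDetailList"]:
        rows.append(_row(account_id, "group", g["GroupName"], g["Arn"],
                         g.get("AttachedManagedPolicies", []), g.get("GroupPolicyList", [])))
    for r in details["RoleDetailList"]:
        rows.append(_row(account_id, "role", r["RoleName"], r["Arn"],
                         r.get("AttachedManagedPolicies", []), r.get("RolePolicyList", []),
                         trusted_by=trust_principals(r.get("AssumeRolePolicyDocument", {}))))
    return rows


def write_report(s3_client, account_id, rows):
    """One JSON-lines object per account under a dated prefix; returns the key written."""
    day = datetime.now(timezone.utc).strftime("%Y-%m-%d")
    key = f"iam-report/{day}/{account_id}.jsonl"
    body = "\n".join(json.dumps(r, sort_keys=True) for r in rows)
    s3_client.put_object(Bucket=REPORT_BUCKET, Key=key, Body=body.encode())
    return key


def collect_all(org_client, sts_client, s3_client):
    """Hub driver. A failed AssumeRole in one member is recorded, not fatal, so one
    misconfigured account does not abort a run over hundreds of accounts."""
    written, failed = [], {}
    for account_id in list_member_accounts(org_client):
        try:
            details = fetch_authorization_details(iam_client_for(account_id, sts_client))
            written.append(write_report(s3_client, account_id, flatten(account_id, details)))
        except Exception as exc:  # report and move on
            failed[account_id] = str(exc)
    return written, failed


# Constructed sample (not real data), shaped like one GetAccountAuthorizationDetails page.
SAMPLE_DETAILS = {
    "UserDetailList": [{"UserName": "alice", "Arn": "arn:aws:iam::111111111111:user/alice",
                        "GroupList": ["admins"], "AttachedManagedPolicies": [],
                        "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": {}}]}],
    "GroupDetailList": [{"GroupName": "admins", "Arn": "arn:aws:iam::111111111111:group/admins",
                         "GroupPolicyList": [], "AttachedManagedPolicies": [
                             {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]}],
    "RoleDetailList": [{"RoleName": ROLE_NAME, "Arn": f"arn:aws:iam::111111111111:role/{ROLE_NAME}",
                        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": "arn:aws:iam::999999999999:role/iam-report-hub"}}]},
                        "RolePolicyList": [], "AttachedManagedPolicies": [
                            {"PolicyName": "IAMReadOnlyAccess",
                             "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"}]}],
    "Policies": []}


def sample_report():
    """Flatten the constructed sample for account 111111111111 (offline demo)."""
    return flatten("111111111111", SAMPLE_DETAILS)


if __name__ == "__main__":
    for row in sample_report():
        print(json.dumps(row, sort_keys=True))
```

To run it for real, call collect_all with boto3 clients for organizations, sts and s3 from the hub account; the trade-off the answer describes still applies, since every member account must carry the IAMReportReader role trusting the hub. The has_admin_policy flag reports direct attachment only; the sample deliberately shows a user who is an admin through group membership and is not flagged, which is why the per-principal rows, not the flag, are the record to query.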
